Hi,

The default jail does not check on the lines you mention.
Not really weird, since the log message explicitly states that no auth
attempt is performed. Somebody is connecting but did not send auth
details, and your dovecot didn't tell them whether the auth credentials
were working or not. This could be a bot (albeit a very stupid or simple
one, because it does not try to use TLS), or it could be a user that has
his IMAP client configured incorrectly.
Anyway: no auth details, so no dictionary attack. Feel free to add
custom regexes on your own system though.
Kind regards,
Tom
On 13-12-17 18:46, Gao wrote:
> Hi list,
>
> My mail server is using dovecot v2.2.33 on CentOS 7. I installed fail2ban
> v0.9.7 from the EPEL repo. I just noticed the dovecot filter seems not to be
> working. My maillog has entries:
> Dec 11 22:14:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=208.100.26.233, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<oBeRjh5gZ8nQZBrp>
> Dec 12 03:10:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=208.100.26.235, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=</7xDsSJgZ+DQZBrr>
>
> But the test show no match:
> # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
>
> Running tests
> =============
>
> Use failregex filter file : dovecot, basedir: /etc/fail2ban
> Use log file : /var/log/maillog
> Use encoding : UTF-8
>
> Results
> =======
> *Failregex: 0 total*
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [24406] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
> Lines: 24406 lines, 0 ignored, *0 matched*, 24406 missed
> [processed in 3.56 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all
> 24406 lines
>
> I enabled dovecot in jail.local:
> [dovecot]
> enabled = true
> port = pop3,pop3s,imap,imaps,submission,465,sieve
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
>
> I just use the default dovecot filter:
> # cat /etc/fail2ban/filter.d/dovecot.conf
> # Fail2Ban filter Dovecot authentication and pop3/imap server
> #
>
> [INCLUDES]
>
> before = common.conf
>
> [Definition]
>
> _daemon = (auth|dovecot(-auth)?|auth-worker)
>
> failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
>             ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
>             ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
>             ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>             ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
>
> ignoreregex =
>
> [Init]
>
> journalmatch = _SYSTEMD_UNIT=dovecot.service
>
>
> Could someone help me with this? I must have missed something here. BTW, other
> filters work fine.
>
> Thanks.
>
> Gao
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
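Added example (not part of the thread and not fail2ban's own code): a Python script that applies the (pop3|imap)-login failregex from the default dovecot filter quoted above to the two "no auth attempts" lines from the post, and beside it a hypothetical custom regex of the kind Tom suggests for exactly those lines. Two further log lines are constructed here for contrast: a genuine "auth failed" disconnect, which the default regex does match, and a "no auth attempts" disconnect with no TLS error at all, which neither pattern matches. Assumptions: the `_PREFIX` pattern is a simplified stand-in for common.conf's `__prefix_line`, `_HOST` is the `<HOST>` expansion without the IPv6-mapped prefix, and the timestamp is stripped before matching, as fail2ban-regex does.

```python
import re

# Constructed sample input: the first two lines are the ones from the post;
# the last two are constructed here for contrast and are NOT from the post.
SAMPLE_LINES = [
    "Dec 11 22:14:00 mail dovecot: imap-login: Disconnected (no auth attempts "
    "in 0 secs): user=<>, rip=208.100.26.233, lip=10.11.22.68, TLS handshaking: "
    "SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:"
    "no shared cipher, session=<oBeRjh5gZ8nQZBrp>",
    "Dec 12 03:10:02 mail dovecot: pop3-login: Disconnected (no auth attempts "
    "in 0 secs): user=<>, rip=208.100.26.235, lip=10.11.22.68, TLS handshaking: "
    "SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:"
    "unknown protocol, session=</7xDsSJgZ+DQZBrr>",
    # constructed: a real password-guessing client that the stock filter catches
    "Dec 12 04:00:00 mail dovecot: imap-login: Disconnected (auth failed, 3 "
    "attempts in 12 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, "
    "lip=10.11.22.68, TLS, session=<abc123>",
    # constructed: plaintext client connected, sent nothing, hung up (no TLS error)
    "Dec 12 05:00:00 mail dovecot: imap-login: Disconnected (no auth attempts "
    "in 10 secs): user=<>, rip=198.51.100.7, lip=10.11.22.68, session=<xyz789>",
]

# Assumption: simplified stand-in for common.conf's __prefix_line, restricted
# to the _daemon alternatives from the dovecot filter. The real one also
# accepts syslog verbosity tags, kernel prefixes and vserver markers.
_PREFIX = r"^\s*(?:\S+\s+)?(?:auth|dovecot(?:-auth)?|auth-worker)(?:\[\d+\])?:\s*"
# Assumption: fail2ban's <HOST> expansion without the IPv6-mapped prefix.
_HOST = r"(?P<host>[\w\-.^_]*\w)"

# The (pop3|imap)-login failregex from the stock filter, unwrapped, with the
# fail2ban placeholders substituted. Note it only matches "auth failed" or
# "tried to use ... auth" disconnects; the TLS clause is only reachable after
# one of those, so a "no auth attempts" line can never match it.
DEFAULT_LOGIN_REGEX = re.compile(
    _PREFIX
    + r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    + r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    + r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?"
    + r"( method=\S+,)? rip=" + _HOST + r"(?:, lip=\S+)?(?:, TLS(?: handshaking"
    + r"(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+"
    + r"_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?"
    + r"(, session=<\S+>)?\s*$"
)

# Hypothetical custom regex (an assumption, not part of the stock filter):
# matches a "no auth attempts" disconnect only when the TLS handshake failed.
# It is deliberately a separate pattern so it can live in its own jail with a
# lenient maxretry, because a user with a broken client produces the same line.
CUSTOM_NOAUTH_TLS_REGEX = re.compile(
    _PREFIX
    + r"(?:pop3|imap)-login: Disconnected \(no auth attempts in \d+ secs\): "
    + r"user=<>, rip=" + _HOST + r", lip=\S+, TLS handshaking: SSL_accept\(\) "
    + r"failed: error:[\dA-F]+:SSL routines:.*$"
)

_DATE = re.compile(r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d ")

PATTERNS = (
    ("default", DEFAULT_LOGIN_REGEX),
    ("custom-noauth-tls", CUSTOM_NOAUTH_TLS_REGEX),
)


def strip_date(line):
    """Remove the syslog timestamp, mirroring what fail2ban does before failregex."""
    return _DATE.sub("", line, count=1)


def classify(line):
    """Return (pattern name, offending host) for the first matching pattern,
    or (None, None) when no pattern fires on this line."""
    rest = strip_date(line)
    for name, rx in PATTERNS:
        m = rx.match(rest)
        if m:
            return name, m.group("host")
    return None, None


def classify_all(lines):
    """Run every sample line through the patterns, like fail2ban-regex would."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for line, (name, host) in zip(SAMPLE_LINES, classify_all(SAMPLE_LINES)):
        print(f"{name or 'no match':18} host={host!s:16} {line[:60]}...")
```

The run reproduces the "0 matched" result for the two lines from the post under the stock pattern, and shows that the custom pattern picks them up while leaving an ordinary silent disconnect alone. Before putting such a pattern in a real filter (with `<HOST>` and `%(__prefix_line)s` in place of the stand-ins here), check it with `fail2ban-regex` against the actual maillog, and give that jail a higher maxretry and shorter bantime than the dovecot jail, since a legitimate user with a misconfigured client trips it just as reliably as a scanner.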
